Closed wmjordan closed 3 years ago
You have to add armbreaker to your profile. It doesn't work in mactype.ini as an override option.
Oh, usually I put application specific things in the MacType.ini but not in the style related ini file. So I can switch to another one without duplicating those application specific settings around ini files.
As it is an "experimental" option I prefer to keep the experiment in a small scale. 😄 that's why this option can't be globally effective.
I supposed that the following in MacType.ini would be applied to Vivaldi.exe only.
[experimental@vivaldi.exe]
ArmBreaker=1
why this option can't be globally effective.
Oh, I see. You meant that option should not be placed with the MacType.ini file that shipped with the installation package, otherwise all users would be affected.
All options in the experimental section are not stable or may somewhat intrude the system or maybe some sort of hacks that are not suitable for all situations. I personally consider them to be "use with care".
Yes, I understood.
I was adding the above setting snippet into the MacType.ini file manually after installation, not that setting was by default there.
If the setting can be added after installation there by the user, the user can switch ini files without copying those settings around ini files. It is a small case of convenience.
I just put the following setting into the end of my profile ini file (DeepGrayNoHinting.zip), then restarted the service.
[experimental@vivaldi.exe]
ArmBreaker=1
It was not working either.
I tried with your profile and it doesn't work. After fiddling with it a bit, I figured out that you need a stronger armbreaker, 2, to make it happy.
After that, you should be able to see that all vivaldi.exe processes are marked as running in macwiz.
I tried ArmBreaker=2. It did not work either.
It for sure works. Restart your computer and use service mode.
Unfortunately it just did not work, after restarting my computer.
I am using the service mode.
Just by replacing the armbreaker=1 to 2, it works perfectly with vivaldi on my system.
Since it's very hard to figure out why it doesn't work on yours, I suppose there is a software conflict with mactype, or maybe your mactype installation is not complete and not all files are up to date.
Both 1 and 2 have been tried. Neither of them worked.
Had you removed the policy in your registry, and started Vivaldi without the --disable-features=RendererCodeIntegrity argument when you tested it?
The following is the list of files in my MacType folder.
2021/05/07 15:20 8,783 ChangeLog.txt
2021/04/28 14:18 280,064 EasyHK32.dll
2021/04/28 14:17 335,360 EasyHK64.dll
2017/06/02 15:05 88,974 gb.txt
2020/04/26 10:19 135,909 gdi++11px.txt
2017/06/02 15:05 80,896 GdiBench.exe
2017/06/02 15:05 716 GdiBench.ini
2021/06/02 17:57 <DIR> ini
2021/06/02 17:56 <DIR> languages
2021/06/01 16:18 35,149 license.txt
2017/06/02 15:05 15,872 MacLoader.exe
2017/06/02 15:05 69,632 MacLoader64.exe
2021/04/28 14:34 3,081,728 MacTray.exe
2021/06/01 16:18 2,291,200 MacTuner.exe
2021/05/07 14:56 895,488 MacType.Core.dll
2021/05/07 14:59 125,440 MacType.dll
2021/06/03 20:38 1,618 MacType.ini
2021/05/07 14:56 1,058,304 MacType64.Core.dll
2021/05/07 14:59 159,744 MacType64.dll
2017/06/02 15:05 69,120 MacWiz.exe
2021/06/01 16:18 104,960 mt64agnt.exe
2021/06/02 17:57 21,331 unins000.dat
2021/06/02 17:56 1,291,175 unins000.exe
2021/06/01 16:18 686,080 updater.exe
2021/06/02 17:57 343 updater.ini
2020/04/23 17:05 <DIR> updates
I never used Vivaldi before so there is nothing related in my registry.
Made no difference in CentBrowser with or without "--disable-features=RendererCodeIntegrity". What's its exact visual effect?
Centbrowser has no integrity check, so no armbreaker is needed.
MacType64-with-trace.zip @wmjordan Please overwrite mactype64.dll with this one. And observe the debug output with a tool from https://github.com/CobaltFusion/DebugViewPP
When you launch vivaldi, it should give you something like "MS Sign policy mark has been removed."
Thank you for looking into this.
Vivaldi startup argument: vivaldi.exe --disable-lcd-text
Here's the log: DebugView++.log
At the end of DeepGrayNoHinting.ini:
[Experimental@vivaldi.exe]
ArmBreaker=2
This means your profile is buggy, it doesn't detect that you set this flag.
What is this setting supposed to be applied to vivaldi.exe?
The log wrote:
13.837439 2021/06/04 10:28:10.851 12108 vivaldi.exe [MTBootstrap] Creating child process vivaldi.exe...
13.862217 2021/06/04 10:28:10.876 12108 vivaldi.exe [MTBootstrap] [Injector] PID 9048
13.862608 2021/06/04 10:28:10.876 12108 vivaldi.exe [MTBootstrap] Loader is injected at 0x1a70e0c0000
13.862654 2021/06/04 10:28:10.876 12108 vivaldi.exe [MTBootstrap] Injecting to vivaldi.exe success
But from the above screenshot, the PID 9048 was disabled.
This is what it should look like:
0.035933 2021/06/04 10:35:39.527 9760 vivaldi.exe [MTBootstrap] dwIntegrityLevel<SECURITY_MANDATORY_SYSTEM_RID -> user process
0.037218 2021/06/04 10:35:39.528 9760 vivaldi.exe [MTBootstrap] Loading on startup
0.058721 2021/06/04 10:35:39.550 9760 vivaldi.exe [MTBootstrap] Load "C:\Program Files\MacType\MacType64.Core.dll" at 0xc9250000, err=0x1e7
0.405115 2021/06/04 10:35:39.896 9432 vivaldi.exe [MTBootstrap] Creating child process vivaldi.exe...
0.407606 2021/06/04 10:35:39.898 9432 vivaldi.exe [MTBootstrap] Policy binary [0]: 0x111000100011000
0.407631 2021/06/04 10:35:39.898 9432 vivaldi.exe [MTBootstrap] Policy binary [1]: 0x10000
0.416387 2021/06/04 10:35:39.907 9432 vivaldi.exe [MTBootstrap] [Injector] PID 9072
0.419007 2021/06/04 10:35:39.910 9432 vivaldi.exe [MTBootstrap] Loader is injected at 0x244e0b70000
0.419213 2021/06/04 10:35:39.910 9432 vivaldi.exe [MTBootstrap] Injecting to vivaldi.exe success
0.420038 2021/06/04 10:35:39.911 9432 vivaldi.exe [MTBootstrap] Creating child process vivaldi.exe...
0.425259 2021/06/04 10:35:39.916 9432 vivaldi.exe [MTBootstrap] [Injector] PID 10612
0.425442 2021/06/04 10:35:39.916 9432 vivaldi.exe [MTBootstrap] Loader is injected at 0x164f6390000
0.425530 2021/06/04 10:35:39.916 9432 vivaldi.exe [MTBootstrap] Injecting to vivaldi.exe success
0.434750 2021/06/04 10:35:39.926 10612 vivaldi.exe [MTBootstrap] Attaching
0.435231 2021/06/04 10:35:39.926 10612 vivaldi.exe [MTBootstrap] dwIntegrityLevel<SECURITY_MANDATORY_SYSTEM_RID -> user process
0.435934 2021/06/04 10:35:39.927 10612 vivaldi.exe [MTBootstrap] Loading on startup
0.453561 2021/06/04 10:35:39.944 10612 vivaldi.exe [MTBootstrap] Load "C:\Program Files\MacType\MacType64.Core.dll" at 0xc9250000, err=0x1e7
0.504616 2021/06/04 10:35:39.996 9432 vivaldi.exe [MTBootstrap] Creating child process vivaldi.exe...
0.505233 2021/06/04 10:35:39.996 9432 vivaldi.exe [MTBootstrap] Policy binary [0]: 0x111000100011000
0.505407 2021/06/04 10:35:39.996 9432 vivaldi.exe [MTBootstrap] Policy binary [1]: 0x10000
0.512060 2021/06/04 10:35:40.003 9432 vivaldi.exe [MTBootstrap] [Injector] PID 12312
0.515769 2021/06/04 10:35:40.007 9432 vivaldi.exe [MTBootstrap] Loader is injected at 0x157971b0000
0.518647 2021/06/04 10:35:40.010 9432 vivaldi.exe [MTBootstrap] Injecting to vivaldi.exe success
0.526848 2021/06/04 10:35:40.018 9432 vivaldi.exe [MTBootstrap] Creating child process vivaldi.exe...
0.526886 2021/06/04 10:35:40.018 9432 vivaldi.exe [MTBootstrap] Policy binary [0]: 0x111100110011000
0.526909 2021/06/04 10:35:40.018 9432 vivaldi.exe [MTBootstrap] MS Sign policy mark has been removed.
0.526931 2021/06/04 10:35:40.018 9432 vivaldi.exe [MTBootstrap] Policy binary [1]: 0x10000
0.532504 2021/06/04 10:35:40.024 9432 vivaldi.exe [MTBootstrap] [Injector] PID 10820
Once the armbreaker is activated, you should see logs with "Policy binary" in them.
Could you post your ini file and let me test it on my computer?
I made a more detailed one. It should tell you what the armbreaker value really is.
Armbreaker is set to 0
Is the value case-sensitive?
No, it's case-insensitive. I can confirm it.
I reviewed the code related to settings reading, and it looks like the option armbreaker can be read from the global file mactype.ini, and the setting in the actual profile can override it like other options.
Could it be because of the other settings in MacType.ini?
[General]
AlternativeFile=ini\DeepGrayNoHinting.ini
[MacType]
RedrawDelay=5000
AutoEnable=1
HideDenied=1
AutoUnload=1
AutoRun=0
LoadType=1
Use64Agent=1
HideACD=1
Language=2
[UnloadDll]
; List of .exes that don't support MacType, or have no GUI
igfxCUIService.exe
igfxEM.exe
igfxHK.exe
lass.exe
SearchIndexer.exe
OfficeClickToRun.exe
SearchProtocolHost.exe
SearchFilterHost.exe
stacsv64.exe
QHSafeTray.exe
QHWatchdog.exe
QHActiveDefense.exe
SynTPHelper.exe
SynTPEnh.exe
NVDisplay.Container.exe
node.exe
CCXProcess.exe
AdobeIPCBroker.exe
audiodg.exe
fontforge.exe
VirtualBox.exe
VBoxSVC.exe
vmnat.exe
vmnetdhcp.exe
vmware-authd.exe
vmware-vmx.exe
vmware-usbarbitrator64.exe
MsMpEng.exe
pia-service.exe
RuntimeBroker.exe
services.exe
spoolsv.exe
taskhostw.exe
No, this parser reads specifically the values it wants. Here is what this piece of code looks like
//profile parser
void ParseConfig() {
    WCHAR szFileName[MAX_PATH] = { 0 };
    int nSize = GetModuleFileName(g_inst, szFileName, MAX_PATH);
    if (nSize) {
        // Global configuration: MacType.ini next to the module.
        ChangeFileName(szFileName, nSize, TEXT("MacType.ini"));
        CParseIni ini;
        ini.LoadFromFile(szFileName);
        if (ini.IsPartExists(L"UnloadDll"))
            LoadIniSection(ini, L"UnloadDll", g_UnloadList);
        if (ini.IsPartExists(L"ExcludeModule"))
            LoadIniSection(ini, L"ExcludeModule", g_ExcludeList);
        if (ini.IsPartExists(L"IncludeModule"))
            LoadIniSection(ini, L"IncludeModule", g_IncludeList);
        g_HookChildProc = ini[L"General"][L"HookChildProcesses"].ToInt(0);
        // Only the literal [Experimental] section is consulted here;
        // an [Experimental@some.exe] section is a different section name.
        g_nArmBreaker = ini[L"Experimental"][L"ArmBreaker"].ToInt(0);
        g_bUseInclude = ini[L"General"][L"UseInclude"].ToInt(0);
        // Profile (AlternativeFile) overrides the same options when present.
        LPCWSTR lpAlter = (LPCWSTR)ini[L"General"][L"AlternativeFile"];
        if (lpAlter) {
            TCHAR szAlter[MAX_PATH] = { 0 };
            wcscpy_s(szAlter, lpAlter);
            CParseIni iniAlter;
            if (PathIsRelative(lpAlter)) {
                // Resolve a relative profile path against MacType.ini's directory.
                TCHAR szDir[MAX_PATH];
                wcsncpy(szDir, szFileName, MAX_PATH);
                PathRemoveFileSpec(szDir);
                PathCombine(szAlter, szDir, szAlter);
            }
            iniAlter.LoadFromFile(szAlter);
            g_HookChildProc = iniAlter[L"General"][L"HookChildProcesses"].ToInt(0);
            g_nArmBreaker = iniAlter[L"Experimental"][L"ArmBreaker"].ToInt(0);
            g_bUseInclude = iniAlter[L"General"][L"UseInclude"].ToInt(0);
            if (iniAlter.IsPartExists(L"UnloadDll"))
                LoadIniSection(iniAlter, L"UnloadDll", g_UnloadList);
            if (iniAlter.IsPartExists(L"ExcludeModule"))
                LoadIniSection(iniAlter, L"ExcludeModule", g_ExcludeList);
            if (iniAlter.IsPartExists(L"IncludeModule"))
                LoadIniSection(iniAlter, L"IncludeModule", g_IncludeList);
        }
    }
}
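The following is an added example, not MacType's own code: a minimal INI reader that shows why a lookup keyed on the literal section name `Experimental` never sees a section written as `[Experimental@vivaldi.exe]`, and what a per-executable aware lookup would return instead. The function names, the `IniData` type and the sample profile text are assumptions made for this illustration.

```cpp
// Added example, not MacType's own code: a minimal INI reader showing why a
// lookup keyed on the literal section name "Experimental" never sees a section
// written as "[Experimental@vivaldi.exe]", and what a per-executable lookup does.
#include <cctype>
#include <map>
#include <sstream>
#include <string>
using IniData = std::map<std::string, std::map<std::string, std::string>>;
static std::string lower(std::string s) {
    for (auto& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}
static std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Sections and keys are stored lower-cased (the thread confirms the real parser
// is case-insensitive). Bare entries like the [UnloadDll] list have no '=' and are skipped.
IniData parseIni(const std::string& text) {
    IniData ini;
    std::string section, line;
    std::istringstream in(text);
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == ';') continue;          // blank or comment
        auto eq = line.find('=');
        if (line.front() == '[' && line.back() == ']')
            section = lower(line.substr(1, line.size() - 2));
        else if (eq != std::string::npos)
            ini[section][lower(trim(line.substr(0, eq)))] = trim(line.substr(eq + 1));
    }
    return ini;
}
// Equivalent of ini[section][key].ToInt(0): a missing section or key yields 0.
static int readInt(const IniData& ini, const std::string& sec, const std::string& key) {
    auto s = ini.find(lower(sec));
    if (s == ini.end()) return 0;
    auto k = s->second.find(lower(key));
    return k == s->second.end() ? 0 : std::stoi(k->second);
}
// What the thread's ParseConfig does: only the literal section is consulted.
int armBreakerLiteral(const IniData& ini) { return readInt(ini, "Experimental", "ArmBreaker"); }
// Per-executable aware variant: a non-zero "[Experimental@<exe>]" value overrides "[Experimental]".
int armBreakerFor(const IniData& ini, const std::string& exe) {
    int perExe = readInt(ini, "Experimental@" + exe, "ArmBreaker");
    return perExe ? perExe : readInt(ini, "Experimental", "ArmBreaker");
}
// Constructed profile tail, matching what the reporter appended to DeepGrayNoHinting.ini.
const char* kProfile = "; profile tail\n[Experimental@vivaldi.exe]\nArmBreaker=2\n";
```

With `kProfile`, `armBreakerLiteral` returns 0 (the "Read armbreaker from profile: 0" seen in the thread) while `armBreakerFor(ini, "vivaldi.exe")` returns 2.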
Alright, now it tells you what it reads from your profile and from the global one.
[MTBootstrap] Read armbreaker from mactype.ini: 0
[MTBootstrap] Read armbreaker from profile: 0
Hmm, please upload your mactype.ini and your profile as is.
Here they are.
Why does the profile end with .txt? I mean the exact same file you're using. You could zip it before uploading to preserve its encoding and other info.
Please use this: MacType.zip
Okay, I finally realized that the @ grammar doesn't work for armbreaker. It needs to be added to the bootstrap as well. My bad.
For now, just use it with a regular experimental section.
[Experimental]
ArmBreaker=2
With the above in the profile, it works on Vivaldi.
So, may I call it case closed?
Will the above setting be applied to all applications on my computer?
Unfortunately, yes.
The bootstrap part doesn't have any per-program config design in it. It needs to be implemented in the next release.
Since ArmBreaker = 1 does not work, and it has to be applied to all applications, I am afraid that we may have to change the Wiki page as well then...
ArmBreaker=1 does work, it's just not powerful enough to make Chrome (and alike) work.
Ok, I realized that I said in the wiki that Chrome needs 1...
Yep, that's it.
It's not any more~
Alright, let's close this now.
Please enable this option per executable so it does not affect system security too severely. Software can also use the registry to apply a mitigation policy to itself before it is launched, which can't be intercepted and has to be removed manually from the registry (or from the group policy editor). The registry path for the mitigation policy is SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. As of RC1, this option doesn't work in mactype.ini globally; you need to add it to your in-use profile.
Maybe "Please enable this option per executable so it does not affect system security too severely" in the Wiki has to be revised as well, since it might mislead other users.
I removed the --disable-features=RendererCodeIntegrity argument from the shortcut of vivaldi.exe and added the following part into the MacType.ini between the [MacType] and [UnloadDll] sections. I closed Vivaldi, then restarted the MacType service, then Vivaldi.
From the Chinese characters on the top-right side of the interface, I felt that MacType was not in effect. The correct effect with --disable-features=RendererCodeIntegrity in the shortcut when launching vivaldi was like the following:
Changing the option to global did not help either.
Originally posted by @wmjordan in https://github.com/snowie2000/mactype/issues/720#issuecomment-852983636